CVE-2011-0419 in Ubuntu

CVE-2011-0419

Priority

Description

Stack consumption vulnerability in the fnmatch implementation in
apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and
the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD
5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and
Android, allows context-dependent attackers to cause a denial of service
(CPU and memory consumption) via *? sequences in the first argument, as
demonstrated by attacks against mod_autoindex in httpd.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419
https://ubuntu.com/security/notices/USN-1134-1

Notes

jdstrand	TODO: also check apr-util
sbeattie	update for apr-util is not needed.

Package

Source: apache2 (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (uses system apr)

Patches:

Package

Source: apr (LP Ubuntu Debian)

Upstream:	released (1.4.4-1)
Ubuntu 22.04 LTS (Jammy Jellyfish):	not-affected (1.4.5-1)

Patches:

Vendor:	http://www.debian.org/security/2011/dsa-2237
Vendor:	https://rhn.redhat.com/errata/RHSA-2011-0507.html

More Information

Updated: 2022-02-10 23:49:58 UTC (commit acb3d89ab51f1d5e5543fa993969c0eb13c71f04)